Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2023-20862

CVE-2023-20862: VMware Spring Security Auth Bypass Flaw

CVE-2023-20862 is an authentication bypass flaw in VMware Spring Security that allows users to remain authenticated after logout. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2023-20862 Overview

CVE-2023-20862 is an Authentication Bypass vulnerability in VMware Spring Security that affects the logout functionality when using serialized security contexts. The vulnerability stems from improper cleanup of the security context during logout operations, which can result in users remaining authenticated even after explicitly logging out of an application.

This flaw represents a significant security concern for applications relying on Spring Security for authentication management. When users attempt to log out, the security context stored in serialized form is not properly cleared, and the HttpSessionSecurityContextRepository cannot explicitly save an empty security context. This breaks the fundamental security guarantee that logout operations should fully terminate user sessions.

Critical Impact

Users may remain authenticated after logout, potentially allowing unauthorized access to protected resources and session persistence attacks. This undermines the security model of applications that depend on proper session termination.

Affected Products

  • VMware Spring Security versions 5.7.x prior to 5.7.8
  • VMware Spring Security versions 5.8.x prior to 5.8.3
  • VMware Spring Security versions 6.0.x prior to 6.0.3
  • NetApp Active IQ Unified Manager for Linux
  • NetApp Active IQ Unified Manager for VMware vSphere
  • NetApp Active IQ Unified Manager for Windows

Discovery Timeline

  • 2023-04-19 - CVE-2023-20862 published to NVD
  • 2025-02-05 - Last updated in NVD database

Technical Details for CVE-2023-20862

Vulnerability Analysis

This vulnerability is classified under CWE-459 (Incomplete Cleanup), which describes a situation where a product does not properly clean up and remove temporary or supporting resources after they have been used. In the context of Spring Security, this manifests as a failure to properly clear the security context during logout operations when serialized versions are in use.

The core issue lies in the interaction between the logout support mechanism and the HttpSessionSecurityContextRepository. When a user initiates a logout, the framework attempts to clear the authentication state. However, when using serialized security contexts, the cleanup process fails to properly nullify or remove the stored authentication data. Furthermore, the repository implementation lacks the capability to explicitly persist an empty security context, meaning even if the application attempts to clear the authentication, the change is not properly saved.

This creates a scenario where the security context retains the previous authentication state, effectively keeping the user logged in despite having performed a logout operation.

Root Cause

The root cause of CVE-2023-20862 is the incomplete implementation of security context cleanup in Spring Security's logout handling mechanism. The vulnerability has two components:

  1. Serialization handling defect: When security contexts are serialized (common in distributed session scenarios), the logout mechanism does not properly deserialize, clear, and re-serialize the context to reflect the logged-out state.

  2. Empty context persistence limitation: The HttpSessionSecurityContextRepository implementation does not support explicitly saving an empty or null security context, preventing applications from forcefully clearing authentication state.

Attack Vector

The attack vector for this vulnerability requires an authenticated user context. An attacker who has obtained valid session credentials or has access to a legitimate user session could exploit this vulnerability in the following manner:

The vulnerability is network-accessible and requires low privileges (an authenticated session). After a legitimate user logs out, their session may retain authentication state. If an attacker can access or reuse the supposedly-invalidated session (through session fixation, XSS, or physical access to the device), they could gain continued access to the application as the previously authenticated user.

This is particularly dangerous in shared computing environments, kiosk scenarios, or situations where session tokens may be intercepted or stored in browser history.

Detection Methods for CVE-2023-20862

Indicators of Compromise

  • Unexpected session activity after users have confirmed logout
  • Authentication tokens or session IDs remaining valid after logout operations
  • User complaints about still being logged in after explicit logout attempts
  • Audit logs showing continued access from sessions that should have been terminated

Detection Strategies

  • Monitor application logs for authentication events following logout operations from the same session
  • Implement session validation checks that verify security context state matches expected logout behavior
  • Deploy runtime application security testing (RAST) tools to detect persistent authentication states
  • Review Spring Security configuration for serialized context usage patterns

Monitoring Recommendations

  • Enable detailed logging for Spring Security authentication and logout events
  • Implement alerting on session duration anomalies where sessions persist beyond expected logout timeframes
  • Track and correlate logout events with subsequent authentication-required requests from the same session
  • Monitor for patterns of session reuse that indicate failed logout operations

How to Mitigate CVE-2023-20862

Immediate Actions Required

  • Identify all applications using affected Spring Security versions (5.7.x, 5.8.x, 6.0.x)
  • Upgrade Spring Security to patched versions: 5.7.8, 5.8.3, or 6.0.3 respectively
  • Review and test logout functionality after applying patches to confirm proper session termination
  • Consider implementing additional session invalidation measures as defense-in-depth

Patch Information

VMware has released security patches addressing this vulnerability. Users should upgrade to the following versions based on their current deployment:

  • Spring Security 5.7.x users: Upgrade to version 5.7.8 or later
  • Spring Security 5.8.x users: Upgrade to version 5.8.3 or later
  • Spring Security 6.0.x users: Upgrade to version 6.0.3 or later

For detailed patch information and upgrade guidance, refer to the Spring Security CVE-2023-20862 Advisory. NetApp customers should consult the NetApp Security Advisory NTAP-20230526-0002 for product-specific guidance.

Workarounds

  • Implement explicit HTTP session invalidation in custom logout handlers as a supplementary measure
  • Configure shorter session timeouts to limit the window of exposure for persistent sessions
  • Add custom logout success handlers that forcefully clear all authentication-related session attributes
  • Consider implementing stateless authentication mechanisms (such as JWT with short expiration) if serialized context persistence is problematic
bash
# Configuration example - Force session invalidation on logout in Spring Security
# Add to your SecurityConfig.java or application configuration

# For Spring Security 5.x/6.x, ensure logout configuration includes:
# .logout()
#   .invalidateHttpSession(true)
#   .clearAuthentication(true)
#   .deleteCookies("JSESSIONID")
#   .logoutSuccessUrl("/login?logout")

# Verify Spring Security version in Maven/Gradle
mvn dependency:tree | grep spring-security
# or
gradle dependencies | grep spring-security

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne